SaltStack - Authentication Bypass (CVE-2021-25281)
47 exploiting IPs reported
An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
CrowdSec analysis
CVE-2021-25281 is a critical vulnerability in SaltStack Salt before version 3002.5, where the salt-api fails to enforce eauth credentials for the wheel_async client. This flaw allows remote attackers to execute arbitrary wheel modules on the Salt master, potentially leading to full system compromise.
CrowdSec has been tracking this vulnerability and its exploits since the 7th of January 2026.
Data from the CrowdSec community indicates that exploitation of CVE-2021-25281 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2021-25281 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2021-25281 is currently experiencing high visibility and active exploitation across the internet.
Attackers exploit this vulnerability by sending unauthenticated POST requests to the /run endpoint with a JSON body specifying the client parameter as wheel_async, allowing them to bypass authentication and execute arbitrary wheel modules on the Salt master.
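A detection sketch for the request shape described above, added here as an example and not CrowdSec's or SaltStack's own code. It assumes requests have already been captured as (source, method, path, body) tuples, for instance from a reverse proxy in front of salt-api, and that the body is JSON holding either one lowstate dict or a list of them; the function names and the sample records are constructed for illustration.

```python
import json

def lowstate_chunks(body):
    """Return the lowstate dicts in a JSON request body (one dict or a list of them)."""
    try:
        doc = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return []
    if isinstance(doc, dict):
        doc = [doc]
    return [c for c in doc if isinstance(c, dict)] if isinstance(doc, list) else []

def is_wheel_async_run(method, path, body):
    """True for a POST to /run whose body selects the wheel_async client."""
    route = path.split("?", 1)[0].rstrip("/")  # ignore query string and trailing slash
    if method.upper() != "POST" or route != "/run":
        return False
    return any(c.get("client") == "wheel_async" for c in lowstate_chunks(body))

def flagged_sources(records):
    """Return source addresses, in first-seen order, that sent a matching request."""
    seen = []
    for src, method, path, body in records:
        if is_wheel_async_run(method, path, body) and src not in seen:
            seen.append(src)
    return seen

# Constructed sample records (documentation addresses, placeholder function names).
SAMPLE = [
    ("192.0.2.10", "POST", "/run", b'{"client": "wheel_async", "fun": "example.placeholder"}'),
    ("192.0.2.11", "POST", "/run", b'{"client": "local", "tgt": "*", "fun": "test.ping", "eauth": "pam"}'),
    ("192.0.2.12", "POST", "/login", b'{"username": "u", "password": "p", "eauth": "pam"}'),
    ("198.51.100.7", "POST", "/run/", b'[{"client": "runner", "fun": "example.placeholder"}, {"client": "wheel_async", "fun": "example.placeholder"}]'),
    ("198.51.100.8", "GET", "/run", b""),
    ("198.51.100.9", "POST", "/run", b"{not json"),
    ("192.0.2.10", "POST", "/run?x=1", b'{"client": "wheel_async", "fun": "example.placeholder"}'),
]

if __name__ == "__main__":
    for src in flagged_sources(SAMPLE):
        print("wheel_async request to /run from", src)
```

The check matches on the client value alone and does not look at whether eauth fields are present, because on affected versions those fields are not honored for this client. On a master running 3002.5 or later, a hit is a triage signal, not proof of exploitation.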
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.